> Question: How can I make sure that "em2" doesn't become "em0"
> if my dual-port NIC dies? This would be fatal for my firewall
> setup. At least the antispoof rules _must_ be bound to the
> network devices.

Yep, this is an ugly problem. You could have a shell script at boot scan ifconfig output and associate NICs with their MAC addresses, adding appropriate macros to pf.conf.
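
One way to write the boot-time script suggested above, as an added example that is not part of the original reply. The function name `gen_pf_macros`, the macro names and the MAC addresses are constructed for illustration, and the parser assumes BSD-style `ifconfig` output (`ether` on FreeBSD, `lladdr` on OpenBSD). It exits non-zero when an expected NIC is missing, so the ruleset is never loaded against a renumbered device.

```shell
#!/bin/sh
# Added example: bind pf macros to NICs by MAC address, not by device name.
# Role=MAC pairs below are constructed sample values (hypothetical).
NIC_MAP='ext_if=00:00:5e:00:53:01 dmz_if=00:00:5e:00:53:02 int_if=00:00:5e:00:53:03'

# Constructed sample of ifconfig output: em0/em1 = dual-port card, em2 = single.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
em1: flags=8843<UP,BROADCAST,RUNNING> metric 0 mtu 1500
        ether 00:00:5e:00:53:02
em2: flags=8843<UP,BROADCAST,RUNNING> metric 0 mtu 1500
        ether 00:00:5e:00:53:03
lo0: flags=8049<UP,LOOPBACK,RUNNING> metric 0 mtu 16384'

# Reads ifconfig output on stdin, prints one pf macro line per role.
# Returns non-zero if any expected MAC is absent (fail closed).
gen_pf_macros() {
    awk -v map="$NIC_MAP" '
    BEGIN {
        n = split(map, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], f, "=")
            role[i] = f[1]; want[i] = tolower(f[2])
        }
    }
    # Interface header line, e.g. "em0: flags=..."
    /^[a-z][a-z0-9_.]*:/ { ifname = $1; sub(/:$/, "", ifname) }
    # Hardware address line belongs to the most recent header
    $1 == "ether" || $1 == "lladdr" { seen[tolower($2)] = ifname }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            if (want[i] in seen)
                printf "%s = \"%s\"\n", role[i], seen[want[i]]
            else {
                printf "missing NIC for %s (%s)\n", role[i], want[i] > "/dev/stderr"
                bad = 1
            }
        }
        exit bad
    }'
}

# Demo on the constructed sample; on a real host pipe `ifconfig` in instead.
printf '%s\n' "$SAMPLE_IFCONFIG" | gen_pf_macros
```

If the dual-port card dies and the remaining NIC comes up as `em0`, the output still says `int_if = "em0"`, but the non-zero exit status tells the boot script that `ext_if` and `dmz_if` are gone and the normal ruleset should not be loaded.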

